CVE-2026-10092 in Cincopa Video and Media Plug-In Plugin
Summary
by MITRE • 06/24/2026
The Cincopa video and media plug-in plugin for WordPress is vulnerable to Stored Cross-Site Scripting via cincopa Shortcode in Post Comments in all versions up to, and including, 1.163 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation is possible because the plugin processes the [cincopa] shortcode via a comment_text filter hook, allowing unauthenticated visitors who can post comments to supply a malicious shortcode argument that persists in the database.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 06/24/2026
The vulnerability identified in the Cincopa video and media plug-in for WordPress represents a critical stored cross-site scripting flaw that undermines the security integrity of WordPress installations. This issue affects all versions up to and including 1.163, making it a widespread concern for WordPress users who rely on this plugin for media embedding functionality. The vulnerability stems from inadequate input sanitization mechanisms within the plugin's processing logic, specifically when handling the [cincopa] shortcode within comment contexts.
The technical exploitation occurs through the plugin's utilization of the comment_text filter hook, which processes shortcode content before comments are displayed. This filter hook creates an execution point where malicious actors can inject harmful JavaScript payloads through comment submissions. The vulnerability is particularly dangerous because it operates without authentication requirements, allowing any visitor to post comments containing malicious shortcodes that persist in the database. When legitimate users access pages containing these injected comments, the stored scripts execute in their browsers, creating a persistent threat vector.
The operational impact of this vulnerability extends beyond simple script execution, as it enables attackers to perform various malicious activities including session hijacking, credential theft, and redirection to phishing sites. The stored nature of the XSS attack means that the malicious code remains active until manually removed from the database, potentially affecting all users who view affected pages. This vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws in web applications, and it maps directly to ATT&CK technique T1566.001 for credential access through social engineering via malicious content.
Security implications of this vulnerability are significant as it transforms any WordPress site using the affected plugin into a potential vector for broader attacks. The persistence of the malicious code means that even if administrators patch the plugin, existing injected content continues to pose risks until manually cleared from the database. The lack of authentication requirements makes this attack particularly concerning for public-facing WordPress installations where comment functionality is enabled. Organizations should immediately implement mitigations including disabling comment shortcodes, implementing strict input validation, and considering temporary removal of the vulnerable plugin until a patched version is available. Additionally, monitoring for suspicious comment activity and implementing proper output escaping mechanisms becomes critical for maintaining site security.